LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
Security Considerations
Be aware of the following security considerations when you use ldapugmod:
• The ldapugmod tool requires LDAP administrator permissions when it performs
operations on the directory server. The administrator identity that you specify when
executing ldapugmod must be granted the rights to modify existing LDAP directory entries
under the requested subtree, and to create, modify and remove the required attributes in
those entries.
• With any POSIX-type identity, the user and group ID numbers are used by the HP-UX
operating system to determine rights and capabilities in the OS as well as in the file system.
For example, user ID 0 (root) has unlimited OS administration and file access rights. Before
modifying an entry, you must be aware of the selected user and group ID number and of any
policy that may be associated with that ID.
• Renaming a POSIX account does not automatically update that account's membership in
groups, unless the LDAP directory server itself provides that capability. Some LDAP directory
servers have a feature known as "referential integrity", which modifies or removes DN-type
attributes when the DN they refer to is changed or removed. Because that feature acts on
DN-valued attributes, a name-valued attribute such as memberUid in a posixGroup entry still
has to be updated by the administrator.
• As with any identity repository, changes made to this repository have consequences defined
by your organization's security policy. When you use ldapugmod, you are expected to have
full knowledge of that policy and of the impact of modifying identity information in the
repository.
Limitations
Because LDAP directories require that data be stored in the UTF-8 (RFC 3629) character
encoding, all characters displayed by ldapugmod are UTF-8 and are assumed to be part of
the ISO-10646 character set. The ldapugmod tool does not convert between the locale
character set and UTF-8.
Examples
This section provides examples of using the ldapugmod tool.
The following commands set the LDAP_BINDDN and LDAP_BINDCRED environment variables
(a shell assignment must have no spaces around the = sign):
export LDAP_BINDDN="cn=Jane Admin,ou=admins,dc=org,dc=example,dc=com"
export LDAP_BINDCRED="Jane's password"
An exported variable is inherited by every process started from that shell, so set
LDAP_BINDCRED only in the session that runs ldapugmod and unset it when you are done.
Run the following command to go to the /opt/ldapux/bin directory where ldapugmod
resides:
cd /opt/ldapux/bin
The following commands change the password of the user mlee to the new password
defined in LDAP_UGCRED. You must specify the -PW option when using LDAP_UGCRED:
export LDAP_UGCRED="mlee's new password"
./ldapugmod -t passwd -PW mlee
The following command replaces the uidNumber value for the user entry, mMackey:
./ldapugmod -t passwd -u 300 mMackey
The following command replaces the sn value for the user entry, mLou:
./ldapugmod -t passwd mLou "sn=Lou"
The following command replaces the gecos fields for the user entry, mLou:
./ldapugmod -t passwd -I "Mike Lou,Building-6,222-2222" mLou
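The following script is an added example and is not part of LDAP-UX or of this guide. It shows the two pre-flight checks that the security considerations above call for before an administrator runs a command such as ./ldapugmod -t passwd -u 300 mMackey, or renames an account. Everything in it is assumed for illustration: the helper names check_uid and group_refs, the reserved UID range 0-99, and the sample account list and group LDIF, which are constructed inline rather than read from a directory. check_uid refuses a uidNumber that is non-numeric, reserved, or already assigned to another account; group_refs lists the groups that still refer to an account by its old name, which is what you would have to fix by hand after a rename when the server provides no referential integrity (and for memberUid in any case).

```sh
#!/bin/sh
# Added example, not LDAP-UX product code. Pre-flight checks before running
# ldapugmod: validate a requested uidNumber and find group entries that still
# refer to an account by its old name. The helper names, the reserved range
# and the sample data below are assumptions made for this example.

# Assumed local policy: UIDs 0-99 are reserved for system accounts.
RESERVED_UID_MAX=99

# Constructed sample of existing POSIX accounts (name:uidNumber), standing in
# for what the directory currently holds.
EXISTING_ACCOUNTS="root:0
daemon:1
mlee:205
mMackey:300
mLou:301"

# Constructed sample of group entries in LDIF. Both posixGroup (memberUid,
# a plain name) and groupOfNames (member, a DN) references are included,
# because a rename leaves both stale unless the server updates them.
GROUP_LDIF="dn: cn=unixadmins,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: unixadmins
gidNumber: 500
memberUid: mlee
memberUid: mMackey

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: developers
member: cn=mlee,ou=people,dc=example,dc=com
member: cn=mLou,ou=people,dc=example,dc=com"

# check_uid NAME UID
# Exit 0 if UID may be assigned to NAME, 1 otherwise (reason on stderr).
check_uid() {
    name=$1
    uid=$2
    case $uid in
        ''|*[!0-9]*)
            echo "check_uid: '$uid' is not a non-negative integer" >&2
            return 1 ;;
    esac
    if [ "$uid" -le "$RESERVED_UID_MAX" ]; then
        echo "check_uid: uid $uid is in the reserved range 0-$RESERVED_UID_MAX" >&2
        return 1
    fi
    # Reject a collision with any account other than NAME itself, so that
    # re-applying an account's current uidNumber is still allowed.
    owner=$(printf '%s\n' "$EXISTING_ACCOUNTS" |
        awk -F: -v u="$uid" '$2 == u { print $1 }')
    if [ -n "$owner" ] && [ "$owner" != "$name" ]; then
        echo "check_uid: uid $uid is already assigned to $owner" >&2
        return 1
    fi
    return 0
}

# group_refs OLDNAME
# Print the DN of every group that refers to OLDNAME, either by a memberUid
# value or by a member DN whose leading RDN is cn=OLDNAME.
group_refs() {
    old=$1
    printf '%s\n' "$GROUP_LDIF" | awk -v old="$old" '
        /^dn: /                                          { dn = substr($0, 5); next }
        $1 == "memberUid:" && $2 == old                  { print dn; next }
        $1 == "member:" && index($2, "cn=" old ",") == 1 { print dn }
    '
}

# Usage, mirroring the guide's examples: confirm uid 300 for mMackey, and
# list the groups that would go stale if mlee were renamed.
check_uid mMackey 300 && echo "uidNumber 300 is acceptable for mMackey"
check_uid newuser 0 || echo "refused: uid 0 is root"
echo "groups still referring to mlee:"
group_refs mlee
```

Run the checks, then the ldapugmod command itself; in practice you would replace the constructed EXISTING_ACCOUNTS and GROUP_LDIF with a listing taken from the directory, and extend the uid policy to whatever ranges your organization reserves.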
LDAP User and Group Management Tools 211